FIDO2 Security Key Auth
This setup uses a FIDO2 security key through pam-u2f. The key becomes the preferred local authentication path for sudo, polkit prompts, and Hyprlock, while the account password stays available as fallback.
The daily path is touch-only. Do not add pinverification=1 unless you want the security-key PIN on every sudo, pkexec, and Hyprlock authentication.
It does not change LUKS disk decryption. Boot still uses the LUKS passphrase unless a separate LUKS token setup is configured.
Start with the Omarchy menu
Use Omarchy’s built-in FIDO2 setup first:
- Open the Omarchy menu.
- Go to Setup.
- Go to Security.
- Choose Fido2.
- Touch the security key when prompted.
- Let the script test sudo before closing the terminal.
The setup installs libfido2 and pam-u2f, registers the key with pamu2fcfg, stores the mapping at /etc/fido2/fido2, and adds pam_u2f.so to sudo and polkit-1.
The default Omarchy setup is touch-based. Keep that behaviour for daily use, then add Hyprlock manually.
Confirm sudo and polkit
Use this touch-only line in /etc/pam.d/sudo and /etc/pam.d/polkit-1:
```
auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] authfile=/etc/fido2/fido2
```
Keep the existing password lines below it. With sufficient, a successful security-key auth skips the password prompt; failure falls through to the password fallback.
Add Hyprlock
Hyprlock uses its own PAM service. Omarchy’s FIDO2 setup does not add this line automatically, so prepend it to /etc/pam.d/hyprlock:
```
auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] authfile=/etc/fido2/fido2
```
Leave the default auth include login line below it so the normal password unlock still works.
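To check that sudo, polkit-1 and hyprlock actually carry the line in the intended order, here is an added audit script; it is not part of this page or of Omarchy's FIDO2 script. It reads each PAM service file the way PAM stacks it: the first auth entry must be pam_u2f.so with control sufficient and authfile=/etc/fido2/fido2, a fallback auth line (pam_unix or auth include login) must follow it, and pinverification=1 is reported as exit status 2 so PIN mode never slips in unnoticed. The write_sample and demo functions only build constructed sample files under mktemp and never touch /etc/pam.d; the AUTHFILE variable and the exit-code scheme are this example's own conventions.

```shell
#!/usr/bin/env sh
# Added example, not part of the original page or of Omarchy's FIDO2 script.
# Audits one PAM service file (/etc/pam.d/sudo, polkit-1, hyprlock) for the
# touch-only pam_u2f.so line. Exit status:
#   0  pam_u2f.so is the first auth line, control is "sufficient", the expected
#      authfile is set, no PIN mode, and a fallback auth line follows it
#   1  line missing, wrong control/authfile, below the fallback, or no fallback
#   2  line present but pinverification=1 is set (PIN on every prompt)
# AUTHFILE defaults to the mapping path Omarchy's setup writes.
AUTHFILE="${AUTHFILE:-/etc/fido2/fido2}"

audit_pam_u2f() {
  file="$1"; u2f_seen=0; fallback_seen=0
  [ -r "$file" ] || { echo "$file: cannot read" >&2; return 1; }
  # Simple word split: "type control module args". Bracketed controls such as
  # [success=1 default=ignore] are only recognised as "some other auth line".
  while read -r ptype control module args || [ -n "$ptype" ]; do
    case "$ptype" in ''|'#'*) continue ;; esac           # blank lines and comments
    case "$ptype" in auth|-auth) ;; *) continue ;; esac  # only the auth stack matters
    if [ "$module" != pam_u2f.so ]; then
      fallback_seen=1                                    # pam_unix, "include login", ...
      continue
    fi
    if [ "$fallback_seen" = 1 ]; then
      echo "$file: pam_u2f.so sits below the fallback, so the key is never tried first" >&2
      return 1
    fi
    [ "$control" = sufficient ] || { echo "$file: control is '$control', expected sufficient" >&2; return 1; }
    case " $args " in
      *" pinverification=1 "*) echo "$file: pam_u2f.so is in PIN mode" >&2; return 2 ;;
    esac
    case " $args " in
      *" authfile=$AUTHFILE "*) ;;
      *) echo "$file: pam_u2f.so does not use authfile=$AUTHFILE" >&2; return 1 ;;
    esac
    u2f_seen=1
  done < "$file"
  [ "$u2f_seen" = 1 ] || { echo "$file: no pam_u2f.so auth line" >&2; return 1; }
  [ "$fallback_seen" = 1 ] || { echo "$file: nothing below pam_u2f.so, password fallback is gone" >&2; return 1; }
  echo "$file: touch-only pam_u2f.so first, password fallback present"
}

# Constructed sample service files (not copied from a real /etc/pam.d) so the
# audit can be exercised offline. $1 is the output path, $2 is touch, pin or none.
write_sample() {
  case "$2" in
    touch) printf '%s\n' 'auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] authfile=/etc/fido2/fido2' ;;
    pin)   printf '%s\n' 'auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] pinverification=1 authfile=/etc/fido2/fido2' ;;
    *)     : ;;
  esac > "$1"
  printf '%s\n' 'auth include login' >> "$1"
}

# Offline walk-through over the three constructed variants.
demo() {
  dir=$(mktemp -d)
  for mode in touch pin none; do
    write_sample "$dir/$mode" "$mode"
    audit_pam_u2f "$dir/$mode" || echo "$mode: exit $?"
  done
  rm -rf "$dir"
}

# On a live system:
# for f in /etc/pam.d/sudo /etc/pam.d/polkit-1 /etc/pam.d/hyprlock; do audit_pam_u2f "$f"; done
```

Run audit_pam_u2f over /etc/pam.d/sudo, /etc/pam.d/polkit-1 and /etc/pam.d/hyprlock after every edit. A non-zero status from hyprlock is the one to fix before locking the screen, because that is the file the Omarchy script does not manage.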
Update the lock-screen prompt
Hyprlock config is stowed from the dotfiles repo. Edit the active host source, not Omarchy’s upstream config directory:
```
~/.config/dotfiles/hypr/.config/hypr/hosts/<host>/hyprlock.conf
```
Use generic security-key wording so the config works with non-Yubico keys too:
```
input-field {
    placeholder_text = <span> Touch Security Key or Type Password </span>
    check_text = <i>Touch your security key</i>
}
```
If the fingerprint setup script was run on a machine without a fingerprint reader, disable Hyprlock fingerprint auth in the same file:
```
auth {
    fingerprint:enabled = false
}
```
Apply the stowed config:
```
dot stow
hyprctl configerrors
```
Remove fingerprint leftovers
If Omarchy’s fingerprint setup was run by mistake, remove its PAM lines and packages:
```
pkexec sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo /etc/pam.d/polkit-1
pkexec pacman -Rns fprintd libfprint-git
```
Keep fingerprint:enabled = false in the stowed Hyprlock config.
PIN mode
pinverification=1 is stricter, but pam-u2f prompts for the security-key PIN on every PAM authentication. It does not cache the PIN for the whole login session.
Use PIN mode only if that tradeoff is intentional:
```
auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] pinverification=1 authfile=/etc/fido2/fido2
```
Test order
Test each layer before relying on it:
- Run sudo -k, then sudo true.
- Touch the security key when prompted.
- Trigger a polkit prompt if convenient.
- Lock the screen with Hyprlock while another session or terminal remains available.
- Test password fallback by trying without the security key.
Rollback
Restore the backed-up PAM files, or remove only the added pam_u2f.so line from /etc/pam.d/hyprlock if the lock screen is the only broken part.
Do not delete /etc/fido2/fido2 unless you are fully removing FIDO2 auth.
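For the narrow rollback case, an added helper that is not Omarchy's script: it removes only the pam_u2f.so line from one service file, keeps a timestamped backup next to it, and refuses to run when no auth line would be left, since an empty auth stack fails closed and on hyprlock that means the screen never unlocks. The backup naming and the demo's constructed hyprlock file are this example's own choices; run remove_pam_u2f as root (pkexec or sudo) on the real file.

```shell
#!/usr/bin/env sh
# Added example, not Omarchy's own script. Strips only the pam_u2f.so line from
# one PAM service file, keeps a timestamped backup, and refuses when no auth
# line would remain (an empty auth stack fails closed).
# Needs root (pkexec or sudo) to act on the real /etc/pam.d files.
remove_pam_u2f() {
  file="$1"
  [ -r "$file" ] && [ -w "$file" ] || { echo "$file: not readable/writable (need root?)" >&2; return 1; }
  grep -q 'pam_u2f\.so' "$file" || { echo "$file: no pam_u2f.so line, nothing to do" >&2; return 1; }
  # Count the auth lines that would survive the removal ("-auth" entries count too).
  # "|| true" keeps a zero count from aborting the function under set -e.
  remaining=$(grep -v 'pam_u2f\.so' "$file" | grep -c '^[[:space:]]*-*auth[[:space:]]' || true)
  [ "$remaining" -gt 0 ] || { echo "$file: removal would leave no auth line; restore a full backup instead" >&2; return 1; }
  backup="$file.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$file" "$backup" || return 1
  # Truncate-and-rewrite keeps the original file's mode and ownership.
  grep -v 'pam_u2f\.so' "$backup" > "$file"
  echo "$file: pam_u2f.so removed, backup kept at $backup"
}

# Offline demo on a constructed copy of a hyprlock service file (not the real one).
demo() {
  dir=$(mktemp -d)
  printf '%s\n' \
    'auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] authfile=/etc/fido2/fido2' \
    'auth include login' > "$dir/hyprlock"
  remove_pam_u2f "$dir/hyprlock"
  cat "$dir/hyprlock"          # only "auth include login" is left
  rm -rf "$dir"
}

# Live use: pkexec sh -c '. ./remove_pam_u2f.sh; remove_pam_u2f /etc/pam.d/hyprlock'
```

Because the backup is written with cp -p before the original is rewritten, a failed run leaves either the untouched file or a complete copy beside it; the mapping file /etc/fido2/fido2 is never touched, matching the note above.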